heat_template_version: rocky

description: Enables IPSEC for the overcloud

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json

  IpsecVars:
    default: {}
    description: Hash of ansible-tripleo-ipsec variables used to
                 configure IPSec tunnels.
    type: json

outputs:
  role_data:
    description: Role data for the IPSEC service
    value:
      service_name: ipsec
      firewall_rules:
        '100 IPSEC IKE INPUT':
          dport: 500
          sport: 500
          proto: udp
          chain: INPUT
        '100 IPSEC IKE OUTPUT':
          dport: 500
          sport: 500
          proto: udp
          chain: OUTPUT
        '100 IPSEC IKE NAT-Traversal INPUT':
          dport: 4500
          sport: 4500
          proto: udp
          chain: INPUT
        '100 IPSEC IKE NAT-Traversal OUTPUT':
          dport: 4500
          sport: 4500
          proto: udp
          chain: OUTPUT
        '100 IPSEC ESP INPUT':
          proto: esp
          chain: INPUT
        '100 IPSEC ESP OUTPUT':
          proto: esp
          chain: OUTPUT
        '100 IPSEC Authentication Header INPUT':
          proto: ah
          chain: INPUT
        '100 IPSEC Authentication Header OUTPUT':
          proto: ah
          chain: OUTPUT
      upgrade_tasks: []
      external_deploy_tasks:
        - name: IPSEC configuration on step 1
          when: step|int == 1
          block:
          - name: Generate PSK
            command: openssl rand -base64 48
            register: generated_psk
            no_log: "{{ hide_sensitive_logs | bool }}"
          - name: generate ipsec global vars
            set_fact:
              ipsec_psk: "{{ generated_psk.stdout }}"
            delegate_to: "{{item}}"
            delegate_facts: true
            no_log: "{{ hide_sensitive_logs | bool }}"
            with_items:
            - "{{ groups.ipsec }}"
      deploy_steps_tasks:
        - name: IPSEC configuration on step 1
          when: step|int == 1
          block:
          - include_role:
              name: tripleo_ipsec
            vars:
              map_merge:
              - ipsec_configure_vips: false
                ipsec_skip_firewall_rules: false
              - {get_param: IpsecVars}
        # In step 2 the pacemaker resources are created and the VIPs
        # are assigned to the nodes. We need those VIPs to be assigned
        # already before setting up the IPSEC tunnels. Hence we do this
        # in step 3.
        - name: IPSEC configuration on step 3
          when: step|int == 3
          block:
          - include_role:
              name: tripleo_ipsec
            vars:
              map_merge:
              - ipsec_configure_vips: true
                ipsec_skip_firewall_rules: true
              - {get_param: IpsecVars}